
Chapter 4

Guidance for Decision Makers


Topics to be covered
▪ Introduction
▪ Policy as a Project
▪ Cyber Security Management
▪ Arriving at Goals
▪ Cyber Security Documentation
▪ Using the Catalog


Introduction
▪ There is no single right way to make sure people really
understand and follow cyber security policy.
▪ But consciously or unconsciously, every good leader has a
method of getting important messages across.
▪ Middle and lower-level managers run their own business
day-to-day.
▪ Their day-to-day decisions occasionally have unintended
consequences for an organization’s overall cyber security posture.
▪ They require a timely response.
Cont’d…
▪ Adjustments in both strategy and policy must be customized to
the evolving requirements of the organization.
▪ This means cumulatively they point to where formal policy
should evolve.
▪ In order to be effective, cyber security strategy must be a
mainstream part of business, system, or mission planning.
▪ It should not be a sub-component of a technology-only function.
▪ Security theater is created when security concerns within the
business prompt action.
▪ But the action is more visible than effective.
Cont’d…
▪ This is because people think something needs to be done about
security.
▪ So they create activity that looks like security where they think
people want security to be in place.
▪ Security theater does not actually prevent anything bad from
happening.
▪ It just creates the illusion that security is in place.
▪ A common approach to ad hoc security theater is to make it
apparent that cyber security policy affects technology usability.
Cont’d…
▪ Make it harder for people to get into the network, to get to their
data, to use applications, and so on.
▪ Security is somehow perceived as equivalent to cumbersome
levels of approval.
▪ And to authorization workflows that present obstacles to
gaining cyber access.
▪ True security and security theater may have the same
requirements.
Policy as a Project
“Cyber security easily lends itself to a Drucker-style management
cycle for managing by objectives and self-control, observing and
revising plans based on observations” (Drucker 2001).
▪ The management style also follows military security
recommendations for managing battle action:
▪ observe the situation,
▪ orient observations based on background knowledge and analysis,
▪ decide on a course of action, act, and
▪ observe the impact of actions on the situation.
▪ These activities, in combination, comprise the management
cycle of an enterprise security program.
Cont’d…
▪ The process by which cyber security policy is established is a
part of that program.
▪ The establishment of cyber security policy requires task
definition, planning, and clear objectives for each important initiative.
▪ To create cyber security policy is a project, and should be
managed as one.
▪ As with any project, cyber security policy creation starts with
goals and objectives.
▪ It is also helpful to begin with the recognition that policy follows
business or enterprise strategy, not the reverse.
Cont’d…
▪ Policy is an extremely important component of strategy
execution.
▪ This is because it is used to communicate desired outcomes.
▪ Every policy statement issued by the executives will be
interpreted in the context of
▪ other plans,
▪ objectives, and
▪ operational environments
▪ that complete an organization’s cyber security posture.
Cyber Security Management
▪ Many companies have established a Chief Security Office or
Chief Information Security Office.
▪ But, those offices generally do not have line authority over
operations that are critical to asset preservation and other
security goals.
▪ These offices generally are skilled in the tools and techniques
necessary to enforce security policy.
▪ But often do not have the understanding of business or mission
that would be required to establish one.
▪ Also, many security professionals were trained in industries that
were early security adopters such as military or finance.
Cont’d…
1. Arriving at Goals
To begin the process of developing cyber security policy,
executives may ask themselves:
▪ What assets need to be in place to maintain operations?
▪ Which are the “crown jewels”?
▪ Are these changing and/or evolving with our long-term
business plans?
▪ What cyberspace infrastructure houses or impacts our most
critical assets?
Cont’d…
▪ Do we have any information that should be kept from general
circulation? If so:
▪ What criteria would we use to release it to someone within the
organization?
▪ What criteria would we use to release it to someone outside the
organization?
▪ If someone with access to it left the organization, should it still be
protected?
▪ Do we participate in socio-technical networks with communities
who are hostile to our interests?
▪ Are we subject to cyber threats simply from being a bystander
within a larger community?
Cont’d…
▪ These general environmental aspects of cyber security lead
to more detailed questions.
▪ These can be probed with the help of a cyber security task force
composed of operations, financial, and technology staff.
▪ Such questions may be found in industry standard literature.
2. Cyber Security Documentation
▪ Policy awareness is a necessary step to complete after policy
development and before implementation.
▪ If people are not aware of the decisions made in
strategy and policy,
Cont’d…
▪ then they will have no reason to implement in accordance with
them.
▪ This is why security standards, operating procedures, and
guidelines are also often issued in conjunction with policy.
▪ This is to demonstrate how compliance with a given policy
may be achieved.
▪ Procedures are documented step-by-step implementation
instructions.
▪ These are instructions that a technician may follow in order to
be successful in implementing policy and standards.
Cont’d…
▪ Guidelines are the most general type of security document.
▪ They are designed to raise awareness among those who must
comply with policy.
▪ They provide options for policy compliance.
▪ Security professionals like CISOs are often the people who
document cyber security policy.
▪ But these are not necessarily the same set of people as the cyber
security strategists.
▪ Cyber security specialists often act as trusted advisors to
executive decision makers.
Cont’d…
▪ There is also a technique used by cyber security professionals,
both security staff and auditors.
▪ Here policy and standards are translated into a set of questions
about the technology environment.
▪ Direct evaluation of the technology is replaced by the cyber
security assessor’s set of questions.
▪ This contains a series of questions about the security of a given
technology environment.
▪ These questions are typically formulated with a specific cyber
security policy or standard in mind.
Cont’d…
▪ But they do not replace the standard.
▪ They are information-gathering conveniences for the assessor.
▪ When an executive fully understands the motivation and origin
of enterprise security policy,
▪ the implementation process becomes as easy to manage as
any other technology endeavor.
Using the Catalog
▪ Each significant social, economic, institutional, and political segment of
the community has a number of potential resources that can be brought to bear.
▪ There is a role for
▪ police,
▪ private security services,
▪ technology vendors,
▪ government,
▪ insurance industry,
▪ civic groups,
▪ business community,
▪ industry associations, and
▪ citizen organizations.
Cont’d…
▪ Each group’s role needs clarity in its scope and potential impact on
the overall problem.
▪ There is also a large class of policy statements that were omitted
intentionally.
▪ These are technical security configurations for hardware and
software components of cyberspace.
▪ Cyber attacks require coordinated response.
▪ In order to co-ordinate response, one first needs an ability to detect
cyber attacks.
▪ One also needs access to intelligence with which to analyze them, and a
method and means of response.
Cont’d…
▪ Policy should not only address goals.
▪ But also identify key barriers to goal achievement and
anticipate resistance to change.
▪ The resistance may come from sources both internal and
external to the organization.
▪ Those with experience in accountability for security measures
understand well that security policy is often used as a shield
against change.
